Malware Analysis Report

2025-01-22 13:28

Sample ID 231222-fjybcshch3
Target 6a65e9327e7c893a50348c396032696f
SHA256 f09de828728d005bf938cd0de9529edb677da888dcdec5f0fc3a2862553e5ebf
Tags
mrblack antivm botnet persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6a65e9327e7c893a50348c396032696f was found to be: Known bad.

Malicious Activity Summary

mrblack antivm botnet persistence trojan

MrBlack trojan

MrBlack Trojan

Mrblack family

Executes dropped EXE

Modifies init.d

Reads system routing table

Checks CPU configuration

Write file to user bin folder

Writes file to system bin folder

Reads system network configuration

Writes file to tmp directory

Reads runtime system information

Analysis: static1

Detonation Overview

Reported

2023-12-22 04:54

Signatures

MrBlack trojan

Description Indicator Process Target
N/A N/A N/A N/A

Mrblack family

mrblack

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 04:54

Reported

2023-12-23 09:30

Platform

ubuntu1804-amd64-20231222-en

Max time kernel

151s

Max time network

148s

Command Line

[/tmp/6a65e9327e7c893a50348c396032696f]

Signatures

MrBlack Trojan

trojan botnet mrblack

MrBlack trojan

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A /usr/bin/bsd-port/getty /usr/bin/bsd-port/getty N/A
N/A /usr/bin/.sshd /usr/bin/.sshd N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo N/A N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/DbSecuritySpt N/A N/A
File opened for modification /etc/init.d/selinux N/A N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route N/A N/A

Write file to user bin folder

Description Indicator Process Target
File opened for modification /usr/bin/bsd-port/getty /bin/cp N/A
File opened for modification /usr/bin/.sshd /bin/cp N/A
File opened for modification /usr/bin/bsd-port/getty.lock N/A N/A
File opened for modification /usr/bin/bsd-port/udevd.lock N/A N/A
File opened for modification /usr/bin/dpkgd/lsof /bin/cp N/A
File opened for modification /usr/bin/lsof /bin/cp N/A
File opened for modification /usr/bin/bsd-port/conf.n N/A N/A
File opened for modification /usr/bin/dpkgd/ps /bin/cp N/A
File opened for modification /usr/bin/dpkgd/ss /bin/cp N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/ps /bin/cp N/A
File opened for modification /bin/ss /bin/cp N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/dev N/A N/A
File opened for reading /proc/net/route N/A N/A
File opened for reading /proc/net/arp N/A N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/cmdline /sbin/insmod N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/meminfo N/A N/A
File opened for reading /proc/stat N/A N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/gates.lod N/A N/A
File opened for modification /tmp/notify.file N/A N/A
File opened for modification /tmp/conf.n N/A N/A
File opened for modification /tmp/moni.lod N/A N/A
File opened for modification /tmp/bill.lock N/A N/A

Processes

/tmp/6a65e9327e7c893a50348c396032696f

[/tmp/6a65e9327e7c893a50348c396032696f]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]

/bin/ln

[ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c cp -f /tmp/6a65e9327e7c893a50348c396032696f /usr/bin/bsd-port/getty]

/bin/cp

[cp -f /tmp/6a65e9327e7c893a50348c396032696f /usr/bin/bsd-port/getty]

/bin/sh

[sh -c /usr/bin/bsd-port/getty]

/usr/bin/bsd-port/getty

[/usr/bin/bsd-port/getty]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /tmp/6a65e9327e7c893a50348c396032696f /usr/bin/.sshd]

/bin/cp

[cp -f /tmp/6a65e9327e7c893a50348c396032696f /usr/bin/.sshd]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/ln

[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/sh

[sh -c /usr/bin/.sshd]

/bin/sh

[sh -c mkdir -p /usr/bin/dpkgd]

/bin/mkdir

[mkdir -p /usr/bin/dpkgd]

/usr/bin/.sshd

[/usr/bin/.sshd]

/bin/sh

[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/cp

[cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/sh

[sh -c mkdir -p /bin]

/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c mkdir -p /bin]

/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /bin/ps]

/bin/cp

[cp -f /usr/bin/bsd-port/getty /bin/ps]

/bin/sh

[sh -c chmod 0755 /bin/ps]

/bin/chmod

[chmod 0755 /bin/ps]

/bin/sh

[sh -c cp -f /bin/ss /usr/bin/dpkgd/ss]

/bin/cp

[cp -f /bin/ss /usr/bin/dpkgd/ss]

/bin/sh

[sh -c mkdir -p /bin]

/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c mkdir -p /bin]

/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /bin/ss]

/bin/cp

[cp -f /usr/bin/bsd-port/getty /bin/ss]

/bin/sh

[sh -c chmod 0755 /bin/ss]

/bin/chmod

[chmod 0755 /bin/ss]

/bin/sh

[sh -c cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]

/bin/cp

[cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c mkdir -p /usr/bin]

/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]

/bin/cp

[cp -f /usr/bin/bsd-port/getty /usr/bin/lsof]

/bin/sh

[sh -c chmod 0755 /usr/bin/lsof]

/bin/chmod

[chmod 0755 /usr/bin/lsof]

/bin/sh

[sh -c insmod /usr/bin/bsd-port/xpacket.ko]

/sbin/insmod

[insmod /usr/bin/bsd-port/xpacket.ko]

/bin/sh

[sh -c insmod /tmp/xpacket.ko]

/sbin/insmod

[insmod /tmp/xpacket.ko]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
US 1.1.1.1:53 fk.appledoesnt.com udp
CN 61.147.103.6:55000 tcp
US 193.221.95.203:30000 fk.appledoesnt.com tcp
US 151.101.66.49:443 tcp
GB 89.187.167.5:443 tcp
CN 61.147.103.6:55000 tcp
US 193.221.95.203:30000 fk.appledoesnt.com tcp

Files

/tmp/gates.lod

MD5 4e9cec1f583056459111d63e24f3b8ef
SHA1 7c753b72486156bc11e7416305a9c87ada24439e
SHA256 46b724b2f85d4f7bd485423a04bcf2cffb2c22304fe264aa4da31794b7adae41
SHA512 62849303717bb0749a0977adba43667767a3f7c55b5ff17e57513c90c2dff495cf364e4f959887f9261e5e6b8aeda47b615189bfe44b1ca897e37fb3e43ee365

/etc/init.d/DbSecuritySpt

MD5 dd73a0ce3f569c5a0d76de74401a5798
SHA1 641c5542452e9314bcf9cff2f08bf7d3234aed8f
SHA256 865c89d53e264374f7e4afd9bbd64a1c9a9654cd0a28c8c976d770139f50f0fa
SHA512 5478f6da0f68fe4462536b315abf002923cc32813c1e97647d87412094f2f559afefb64116862ec142aee6f0b1fe4d492419b8c69ed4637b37e1dc5fda45b22d

/usr/bin/bsd-port/getty

MD5 6a65e9327e7c893a50348c396032696f
SHA1 752284ca96950d96c1eeb991d6e5d411a9fac65b
SHA256 f09de828728d005bf938cd0de9529edb677da888dcdec5f0fc3a2862553e5ebf
SHA512 242a3100839b73a76a721744606292c74942035e94fdb35aca8f58993caf972d78e8c0195a139758f74c2f3c58b97e9b2ede41e93ce2c2aa52db008975cbc8e6

/tmp/notify.file

MD5 b31ff023ec1aee3aefb61af256c279d0
SHA1 968fa825f798b87820abfde52b2358b8c1d3e604
SHA256 cd767f87d239ade6e4b7cd4dbfe4501c0b457382982f0376d0608eddd52e99e1
SHA512 7f70d220f510994ea97191ceee543a6b5efd7eee53fac287b0439ee0b2e063797c524ef10938be30aa06fdd723ecd539c3168c5b5f8ccaadaf9cc1f4098de008

/usr/bin/dpkgd/ss

MD5 1dc929b5f2cd12fe6a2fe71140d2a9e3
SHA1 f9995a92bb201b1b7738a39a38570ef0c40b52d2
SHA256 418aae1da62554afe9f260866267af328fd761b3fd6f90f0ea53d543e2fefc38
SHA512 fbed011c595084548db440dfbe485b7d27032a44a6ae9e141fe43f31c8c524ff9347135ab035deb441fca99e5a3794f7bb9194f148aa2f60f1547a7c67d47373

/usr/bin/dpkgd/lsof

MD5 e093dc78225e2a0a25e3b137c1c1e442
SHA1 c29497cfaae729eb576875e4fdfa400640ab16be
SHA256 1190f4dbc7be174de8fd4096c9bf7a28eebfac937d308b7cc533be4a1240d26e
SHA512 fe1cc7a65327732eaaee89f427c10239ba822430e34177842f4681068d78d404b1830d808a2a71b1efcc5f126c6d8c053512237421173aaa150e215a672da6f0

/tmp/moni.lod

MD5 96de2547f44254c97f5f4f1f402711c1
SHA1 9d93f8113d6ac60e97d0769efd6f167a812f620b
SHA256 3cc16f8f6eede20fc56248b7da32561c5996a6d44fdabcbe3fd965d016a0d29c
SHA512 9f259a9a75670b392f770060fca9c0a04c7acd6fefffd5ad5e11a90bbfa7f23f152921ec41c6887464dc02ef9b4d61309cd7d992ff0817d28333147d94add4a1

/usr/bin/bsd-port/conf.n

MD5 1e45e1b3598ec16292269c28b19243f9
SHA1 a3b2cb046bccc74dd7a06667f53a97f525fce860
SHA256 83ea3bbfc2daeed1029dfc8a37cb3f0d70afdbda48a8e1eb659f605d7bfb8bbf
SHA512 d929fa04e2dd9d9ca5471bf7b25a7cf590c1087432ea4e8055e55f288a0587b1bb8e10cf90c8d53353c32a56ed9bdfeb027d841dac3fd98c42665e2f6b5ef8d9

/usr/bin/bsd-port/conf.n

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e